Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe"	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 364 set thread context of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2580 wrote to memory of 364	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2580 wrote to memory of 364	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2580 wrote to memory of 364	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2580 wrote to memory of 364	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 364 wrote to memory of 1588	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1588 wrote to memory of 2732	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 1588 wrote to memory of 2732	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 1588 wrote to memory of 2732	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 1588 wrote to memory of 2732	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe

"C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	doddyfire.linkpc.net	udp
MA	41.249.109.69:10000	doddyfire.linkpc.net	tcp

Files

memory/2580-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

memory/2580-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

memory/2580-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab736D.tmp

MD5	49aebf8cbd62d92ac215b2923fb1b9f5
SHA1	1723be06719828dda65ad804298d0431f6aff976
SHA256	b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512	bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar7390.tmp

MD5	4ea6026cf93ec6338144661bf1202cd1
SHA1	a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256	8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512	6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	415551c8a364009bd4243b4060ca296a
SHA1	ee638eb251256c1e84b2ffa9d5e4ca100be89f2c
SHA256	9b1ea0d910b5cab9c8d51e9b72ca148a387a33f9de6fdaa41672d9bff2342b33
SHA512	5c26111d502705dac8b1cf9e3e7039bf092c12565c9aedd29620420d290ef708ce42e3ead02742f9222a8a4dc3e751f5c835bcf9fd2271d0211b3a8af4dbb97e

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	afe3b851ae773f3c2658f298ce0bb7c5
SHA1	0cc5398ed749adf2b6a4009cc1d7d50bd1a7c3a4
SHA256	c114e66a1a8eaa6821a0a451c6b03690d82a49582333d68b25e917321b189584
SHA512	5c763539a4ccbfb94e04a35e87dc45629dff3b0f62022f5efcd93e3529a99b38959c2a182e1cd21f8393cff992e6d2f3b1424cd2ad8947afd49c05d8c799087d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	6c6c7cbd353e556939477dd60f9d18a7
SHA1	88329d42cc2b3d115833306d1f9cca1fcee89808
SHA256	80468c4a8dab14b8ed5e4adad59818540e3f8d46abd8b377932876ee0bd2a78c
SHA512	ad40f8859b5804f1ca18a5e165984a7814b3661070e453946f284df179f5150c5cfe07fe3e09f0d8ffac686c36fa6eb3f485d2652ad08d088e9f95d65a024511

memory/2580-185-0x00000000749F0000-0x0000000074F9B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	5ef941beff436495f822976af46fd53b
SHA1	4b0146bc499c3e2dcae70daeab29d15d8d595959
SHA256	73fac071c7a9072e94e605bfe63c40dbf58802dab92056c4db59c9da95bc7a6b
SHA512	65d9a6da31450da1a8c95367afbb4b936623b8f65998019dc6126456a9c1d33006893f127574123fe089f7ff64cd5f64d8c0e31476a50295ec030ad1ee6ce96f

memory/1588-341-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1588-344-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1588-343-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:36

Reported

2024-06-16 00:38

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe"	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 4832 set thread context of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2476 wrote to memory of 4832	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2476 wrote to memory of 4832	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2476 wrote to memory of 4832	N/A	C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4832 wrote to memory of 4460	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4460 wrote to memory of 3164	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 4460 wrote to memory of 3164	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 4460 wrote to memory of 3164	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe

"C:\Users\Admin\AppData\Local\Temp\99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	0.205.248.87.in-addr.arpa	udp
US	8.8.8.8:53	68.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	45.19.74.20.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
MA	41.249.109.69:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53	69.109.249.41.in-addr.arpa	udp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	56.126.166.20.in-addr.arpa	udp
US	8.8.8.8:53	92.12.20.2.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53		udp

Files

memory/2476-0-0x0000000075442000-0x0000000075443000-memory.dmp

memory/2476-1-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/2476-2-0x0000000075440000-0x00000000759F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	4bba078bbc26ff84af83b8286207f228
SHA1	3ec01d0be25dd613f5a4d21f7b17d52c665f47eb
SHA256	39316e848f402efc99b4afb19c590a5d0c1251d08c46785e15320d0d1a02a95e
SHA512	b75890279c5d009db06143066697fcecb40527f11919aa493eb68063c34c194ba0537f85632c3f1f281da7d50959aa36f8165a866cda897b4300b5c517c57385

memory/2476-17-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4832-18-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4832-19-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4460-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5	0a9b4592cd49c3c21f6767c2dabda92f
SHA1	f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256	c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512	6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/4460-24-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4460-25-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4832-27-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4460-26-0x0000000075440000-0x00000000759F1000-memory.dmp

memory/4460-28-0x0000000075440000-0x00000000759F1000-memory.dmp

Sample ID	240616-axw3ka1hkh
Target	99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3
SHA256	99ece485b86961597abf8a710eb239f12fc1d7952cf4cb7e5c5df997e1dd96a3
Tags	njrat neuf evasion persistence trojan

Malware Analysis Report

2024-08-06 19:49

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files